The Internet Explorer web browser was officially retired back in June earlier this year and has since been replaced by Microsoft Edge. However, as their technical analysis explains, Office is still using the IE engine to execute the JavaScript that enables the attack, which is why it worked on Windows 7 through 11 and Windows Server 2008 through 2022 machines that haven’t installed new November 2022 security updates.

TAG became aware of the vulnerability when the malicious Microsoft Office documents titled “221031 Seoul Yongsan Itaewon accident response situation (06:00).docx” were uploaded to VirusTotal on October 31, 2022. The documents took advantage of widespread publicity over the tragedy in Itaewon on October 29th, in which 151 people lost their lives in a crowd crush during a Halloween celebration in Seoul.

The document exploited an Internet Explorer 0-day vulnerability found within “jscript9.dll”, the JavaScript engine of Internet Explorer, which could be used to deliver malware or malicious code when rendering a website controlled by the attacker. TAG attributes the attack to a group of North Korean government-backed actors known as APT37, which has previously used similar Internet Explorer 0-day exploits in targeted attacks against, North Korean defectors, policymakers, journalists, human rights activists, and South Korean IE users in general. 

TAG says within the blog post that it “did not recover a final payload for this campaign,” but notes that it previously observed APT37 using similar exploits to deliver malware such as ROKRAT, BLUELIGHT, and DOLPHIN. In this instance, the vulnerability was reported to Microsoft within hours of its discovery on October 31st and was patched out on November 8th.